Major retailer hit by cyber criminals

NetSafe is warning businesses to be on the alert after a major retail chain was targeted by overseas cyber criminals in a well planned phishing attack that attempted to convince store staff to install rogue software on their computers.

IT staff at the company, which NetSafe would not name, found employees at one branch had downloaded a file and infected computer systems after being called by an individual claiming to work for the chain.

The caller, who identified himself as a senior member of the company, directed employees to a fake website that was designed to look like the official tech support site.

Staff at the store then downloaded a malicious program that tried to take over computers.

The company's IT staff noticed what was happening and blocked further access to the fake website on all their systems before cleaning up and alerting all stores to the bogus caller, NetSafe's cyber security programme manager Chris Hails said.

No data was accessed or lost.

"The effort that has gone into creating a convincing fake website and the use of a real executive's name is what concerns us," Hails said.

"The website which delivered the malicious software was designed using the company's branding, logo and corporate style and the criminals had gone to some effort to register a .co.nz URL which contained the chain's name."

The FBI warned Americans back in July that spear phishing attacks targeting business executives and selected companies were on the rise but this is the first time NetSafe had received this kind of report from a New Zealand company, Hails said.

The website was registered to a Nigerian address through an Indian company and based in Switzerland.

Hails said the overseas criminals involved could try to use this set-up again to target another New Zealand business and he encouraged companies to warn their staff about those kinds of threats arriving via email and over the phone.

Hails said the retail chain had asked Netsafe to keep its identity confidential but wanted others to be aware of the scam.

"Although there were no losses, the company felt there was the potential for people to feel they couldn't trust them any more," he said.

"Given the amount of stories about data breaches, there was the fear people would assume they don't know what they're doing, which is definitely not the case."

Hails said the retailer was "a large company by New Zealand standards".

"They knew within minutes what was going on with the downloads, which shows they're well-defended."

Andy Prow, managing director of Aura Information Security, said spear phishing was the name for more targeted forms of phishing.

"Phishing is when you put out a wide net and don't know what you're going to catch. Spear phishing is when you're on a more targeted attack against a specific company," he said.

"As an attacker, you've done some analysis, maybe you've even worked for the company, but you know their systems and how they work."

Prow said Kiwi businesses were far more vulnerable if attacks came in a personal form, such as with the retail chain involved this time.

"As soon as there's real humans involved we as Kiwis are more vulnerable because we're extremely trusting."

He said businesses needed to prepare for these types of attacks by giving staff a process to follow whenever someone called up making commands.

"Management have to realise that spear phishing is real. They have to mandate from above and must give junior staff a clear chain of command."